Autonomous distributed forwarding plane traceability based anomaly detection in application traffic for hyper-scale SD-WAN

ABSTRACT

Some embodiments of the invention provide a method for detecting and remediating anomalies in an SD-WAN that includes a controller, an enterprise datacenter, and multiple branch sites each having at least one edge node that includes a set of packet processing stages. At the controller, the method receives from a particular node of a particular branch site a flow notification indicating detection of an anomaly on the particular node. Based on the anomaly, the method dynamically generates trace monitoring rules that specify one or more flows to be traced and provides the trace monitoring rules to the particular node and at least one other node of another branch site. From the particular node and the at least one other node, the method receives trace monitoring results collected in response to the provided trace monitoring rules, and analyzes the results to identify any anomalies and dynamic actions to correct the anomalies.

BACKGROUND

Today, exponential growth of software-defined wide area networks (SD-WANs) results in large numbers of distributed nodes that form complex overlay networks. These thousands of nodes that handle application traffic can experience a multitude of issues in the form of traffic impairments and performance degradation over a period of time. These large SD-WANs present various challenges for isolating and identifying issues relating to various packet flows such as a lack of time and energy to co-relate issues across thousands of SD-WAN nodes. Traditional methods for tracking and tracing failures across various traffic paths involves capturing debug logs by establishing multiple direct SSH sessions to each node across the entire SD-WAN network path relating to the traffic. Furthermore, current implementations do not provide any way to dynamically isolate out all occurrences of similar anomalies in application traffic across all of the nodes in an enterprise at the same time.

BRIEF SUMMARY

Some embodiments of the invention provide a method for detecting and remediating anomalies in a software-defined wide area network (SD-WAN) that includes at least a controller (e.g., a VeloCloud Orchestrator (VCO)), an enterprise datacenter, and multiple branch sites. Each of the branch sites in the SD-WAN includes at least one edge node that includes a set of packet processing stages for processing packet flows in the SD-WAN. In some embodiments, a particular node receives, from the controller, a set of one or more trace monitoring rules specified for a particular packet flow. The particular node determines that a first packet received at the particular node belongs to the particular packet flow and matches at least one trace monitoring rule. Based on these determinations, the particular node specifies the first packet as a packet that should be trace monitored by each packet processing stage of the particular node. As the first packet is processed by each packet processing stage, the particular node generates trace monitoring results to be provided to the controller for analysis.

In some embodiments, the packet processing stages include an ingress stage, a firewall stage, a routing stage, a quality of service (QoS) stage, a network address translation (NAT) stage, and an egress stage. The ingress stage, in some embodiments, is responsible for determining whether packets received at the particular node belong to a packet flow that is marked for trace monitoring and whether these packets match at least one trace monitoring rule. When a packet matches at least one trace monitoring rule in some embodiments, the ingress stage marks the packet (e.g., sets a flag on the packet) in order to identify the packet to the remaining packet processing stages as a packet that should be trace monitored. In addition to the trace monitoring rules, some embodiments also define a set of exceptions specifying thresholds, which, when met, are indicative of an anomaly. For example, some embodiments define exception rules specifying a threshold for a number of dropped packets.

As each of the packet processing stages processes a packet marked for trace monitoring by the ingress stage, they generate trace monitoring data and provide this data to a trace monitor agent executing on the particular node, according to some embodiments. The trace monitor agent, in some embodiments, aggregates the received data and provides aggregated trace monitoring results on a per-flow basis to the controller for analysis. In some embodiments, the trace monitor agent provides the results to the controller via a control plane of the particular node on which the trace monitor agent executes. The trace monitor agent only provides the trace monitoring results to the controller after trace monitoring for a packet flow has been completed on the node (e.g., after a number of packets specified for trace monitoring have been processed), according to some embodiments.

Some embodiments also include a hierarchical order of expansion for anomaly detection. In other words, the controller can generate trace monitoring rules in a hierarchical order so that dynamic anomaly detection can be grouped based on, for example, customer need. At the flow level, trace monitoring rules in some embodiments can be specified to target a particular packet flow across nodes in the SD-WAN. At the application level, the controller in some embodiments targets a packet flows to or from a specific application. In some embodiments, the controller may generate trace monitoring rules at the profile level such that all nodes belonging to a specified profile receive the trace monitoring rules. Lastly, in some embodiments, the controller may generate trace monitoring rules at the enterprise level for all of the nodes in an enterprise.

After receiving trace monitoring results from a node, the controller in some embodiments analyzes the results to identify any anomalies. Also, in some embodiments, the controller determines one or more remedial actions for correcting the identified anomalies. The controller performs the one or more dynamic actions to correct the identified anomalies in some embodiments, or pushes the dynamic actions to one or more nodes to apply in order to correct the identified anomalies.

In some embodiments, the controller generates trace monitoring rules in response to receiving a notification from one or more nodes indicating anomalies have been detected on the one or more nodes. Alternatively, or conjunctively, some embodiments provide a user interface (UI) to allow users to request trace monitoring for specific packet flows, nodes, etc. In some such embodiments, after the controller has received results from the nodes (i.e., in response to having provided trace monitoring rules in accordance with a user request), it provides a display through the UI that includes a visualization of the nodes involved in the trace monitoring, their packet processing stages, and paths traversed by packets and packet flows between these nodes.

The visualization in the provided display, in some embodiments, provides tools for identifying and, in some embodiments, remediating any detected anomalies. For example, any nodes, packet processing stages, and paths for which an anomaly has been detected may appear in a color (e.g., red) that is different from another color (e.g., green) in which the nodes, packet processing stages, and paths for which no anomalies have been detected appear.

Additionally, some embodiments allow a user to select individual packet processing stages to see information (e.g., in a pop-up window) regarding the packet flow processed by the stage when the anomaly was detected as well as a description of the error or anomaly experienced on that stage. More specifically, the packet flow information includes source and destination network addresses, source and destination ports, and application ID, according to some embodiments. The remainder of the information in some embodiments includes time elapsed, and stage status (i.e., pass or fail), according to some embodiments. As mentioned above, some embodiments may also include a remedial action, selectable by the user, to correct the detected anomaly.

The preceding Summary is intended to serve as a brief introduction to some embodiments of the invention. It is not meant to be an introduction or overview of all inventive subject matter disclosed in this document. The Detailed Description that follows and the Drawings that are referred to in the Detailed Description will further describe the embodiments described in the Summary as well as other embodiments. Accordingly, to understand all the embodiments described by this document, a full review of the Summary, the Detailed Description, the Drawings, and the Claims is needed. Moreover, the claimed subject matters are not to be limited by the illustrative details in the Summary, the Detailed Description, and the Drawings.

BRIEF DESCRIPTION OF FIGURES

The novel features of the invention are set forth in the appended claims. However, for purposes of explanation, several embodiments of the invention are set forth in the following figures.

FIG. 1 conceptually illustrates an SD-WAN that includes multiple branch sites, a controller, and a datacenter hub, according to some embodiments.

FIG. 2 conceptually illustrates a detailed view of an edge node and a controller in an SD-WAN, according to some embodiments.

FIG. 3 conceptually illustrates a process performed by an edge node to apply trace monitoring rules, according to some embodiments.

FIG. 4 conceptually illustrates a process performed by a controller to identify anomalies on edge nodes in an SD-WAN, according to some embodiments.

FIG. 5 conceptually illustrates a process performed by a controller to dynamically detect anomalies at various hierarchical levels in an enterprise, according to some embodiments.

FIGS. 6A-6B illustrate a first example UI for performing trace monitoring and identifying anomalies, according to some embodiments.

FIGS. 7A-7B illustrate a second example UI for performing trace monitoring and identifying anomalies, according to some embodiments.

FIGS. 8A-8C illustrate a third example UI for performing trace monitoring and identifying anomalies, according to some embodiments.

FIG. 9 conceptually illustrates a computer system with which some embodiments of the invention are implemented.

DETAILED DESCRIPTION

In the following detailed description of the invention, numerous details, examples, and embodiments of the invention are set forth and described. However, it will be clear and apparent to one skilled in the art that the invention is not limited to the embodiments set forth and that the invention may be practiced without some of the specific details and examples discussed.

Some embodiments of the invention provide a method for detecting and remediating anomalies in a software-defined wide area network (SD-WAN) that includes at least a controller (e.g., a VeloCloud Orchestrator (VCO)), an enterprise datacenter, and multiple branch sites. Each of the branch sites in the SD-WAN includes at least one edge node that includes a set of packet processing stages for processing packet flows in the SD-WAN. In some embodiments, a particular node receives, from the controller, a set of one or more trace monitoring rules specified for a particular packet flow. The particular node determines that a first packet received at the particular node belongs to the particular packet flow and matches at least one trace monitoring rule. Based on these determinations, the particular node specifies the first packet as a packet that should be trace monitored by each packet processing stage of the particular node. As the first packet is processed by each packet processing stage, the particular node generates trace monitoring results to be provided to the controller for analysis.

In some embodiments, the packet processing stages include an ingress stage, a firewall stage, a routing stage, a quality of service (QoS) stage, a network address translation (NAT) stage, and an egress stage. The ingress stage, in some embodiments, is responsible for determining whether packets received at the particular node belong to a packet flow that is marked for trace monitoring and whether these packets match at least one trace monitoring rule. When a packet matches at least one trace monitoring rule in some embodiments, the ingress stage marks the packet (e.g., sets a flag on the packet) in order to identify the packet to the remaining packet processing stages as a packet that should be trace monitored. In addition to the trace monitoring rules, some embodiments also define a set of exceptions specifying thresholds, which, when met, are indicative of an anomaly. For example, some embodiments define exception rules specifying a threshold for a number of dropped packets.

As each of the packet processing stages processes a packet marked for trace monitoring by the ingress stage, they generate trace monitoring data and provide this data to a trace monitor agent executing on the particular node, according to some embodiments. The trace monitor agent, in some embodiments, aggregates the received data and provides aggregated trace monitoring results on a per-flow basis to the controller for analysis. In some embodiments, the trace monitor agent provides the results to the controller via a control plane of the particular node on which the trace monitor agent executes. The trace monitor agent only provides the trace monitoring results to the controller after trace monitoring for a packet flow has been completed on the node (e.g., after a number of packets specified for trace monitoring have been processed), according to some embodiments.

Some embodiments also include a hierarchical order of expansion for anomaly detection. In other words, the controller can generate trace monitoring rules in a hierarchical order so that dynamic anomaly detection can be grouped based on, for example, customer need. At the flow level, trace monitoring rules in some embodiments can be specified to target a particular packet flow across nodes in the SD-WAN. At the application level, the controller in some embodiments targets a packet flows to or from a specific application. In some embodiments, the controller may generate trace monitoring rules at the profile level such that all nodes belonging to a specified profile receive the trace monitoring rules. Lastly, in some embodiments, the controller may generate trace monitoring rules at the enterprise level for all of the nodes in an enterprise.

After receiving trace monitoring results from a node, the controller in some embodiments analyzes the results to identify any anomalies. Also, in some embodiments, the controller determines one or more remedial actions for correcting the identified anomalies. The controller performs the one or more dynamic actions to correct the identified anomalies in some embodiments, or pushes the dynamic actions to one or more nodes to apply in order to correct the identified anomalies.

In some embodiments, the controller generates trace monitoring rules in response to receiving a notification from one or more nodes indicating anomalies have been detected on the one or more nodes. Alternatively, or conjunctively, some embodiments provide a user interface (UI) to allow users to request trace monitoring for specific packet flows, nodes, etc. In some such embodiments, after the controller has received results from the nodes (i.e., in response to having provided trace monitoring rules in accordance with a user request), it provides a display through the UI that includes a visualization of the nodes involved in the trace monitoring, their packet processing stages, and paths traversed by packets and packet flows between these nodes.

The visualization in the provided display, in some embodiments, provides tools for identifying and, in some embodiments, remediating any detected anomalies. For example, any nodes, packet processing stages, and paths for which an anomaly has been detected may appear in a color (e.g., red) that is different from another color (e.g., green) in which the nodes, packet processing stages, and paths for which no anomalies have been detected appear.

Additionally, some embodiments allow a user to select individual packet processing stages to see information (e.g., in a pop-up window) regarding the packet flow processed by the stage when the anomaly was detected as well as a description of the error or anomaly experienced on that stage. More specifically, the packet flow information includes source and destination network addresses, source and destination ports, and application ID, according to some embodiments. The remainder of the information in some embodiments includes time elapsed, and stage status (i.e., pass or fail), according to some embodiments. As mentioned above, some embodiments may also include a remedial action, selectable by the user, to correct the detected anomaly.

FIG. 1 illustrates an example embodiment of an SD-WAN (also referred to herein as a virtual network) for connecting multiple branch sites to each other and to a controller and at least one datacenter hub. As shown, the SD-WAN 100 includes a controller 110, three branch sites 120-124 that each include an edge forwarding node 130-134 (also referred herein as edge nodes or nodes), a cloud gateway 140, and a datacenter 150 with a hub 145.

The edge nodes in some embodiments are edge machines (e.g., virtual machines (VMs), containers, programs executing on computers, etc.) and/or standalone appliances that operate at multi-computer locations of the particular entity (e.g., at an office or datacenter of the entity) to connect the computers at their respective locations other nodes, hubs, etc. in the virtual network. In some embodiments, the nodes are clusters of nodes at each of the branch sites. In other embodiments, the edge nodes are deployed to each of the branch sites as high-availability pairs such that one edge node in the pair is the active node and the other edge node in the pair is the standby node that can take over as the active edge node in case of failover.

An example of an entity for which such a virtual network can be established includes a business entity (e.g., a corporation), a non-profit entity (e.g., a hospital, a research organization, etc.), and an education entity (e.g., a university, a college, etc.), or any other type of entity. Examples of public cloud providers include Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, etc., while examples of entities include a company (e.g., corporation, partnership, etc.), an organization (e.g., a school, a non-profit, a government entity, etc.), etc. In other embodiments, hubs like the hub 145 can also be deployed in private cloud datacenters of a virtual WAN provider that hosts hubs to establish SD-WANs for different entities.

In the example SD-WAN 100, the hub 145 is a multi-tenant forwarding element that is deployed on the premises of the datacenter 150. The hub 145 can be used to establish secure connection links (e.g., tunnels) with edge nodes at the particular entity's multi-computer sites, such as branch sites 130-134, third party datacenters (not shown), etc. For example, the hub 145 can be used to provide access from each branch site 120-124 to each other branch site 120-124 (e.g., via the connection links 160 that terminate at the hub 145) as well as to the resources 155 of the datacenter 150. These multi-computer sites are often at different physical locations (e.g., different buildings, different cities, different states, etc.), according to some embodiments. In some embodiments, hubs can be deployed as physical nodes or virtual nodes. Additionally, hubs in some embodiments can be deployed on a cloud (e.g., as a set of virtual edges configured as a cluster).

In the SD-WAN 100, the hub 145 also provides access to the resources 155 of the datacenter 150 as mentioned above. The resources in some embodiments include a set of one or more servers (e.g., web servers, database servers, etc.) within a microservices container (e.g., a pod). Conjunctively, or alternatively, some embodiments include multiple such microservices containers, each accessible through a different set of one or more hubs of the datacenter (not shown). The resources, as well as the hubs, are within the datacenter premises, according to some embodiments. While not shown, some embodiments include multiple different SaaS datacenters, which may each be accessed via different sets of hubs, according to some embodiments. In some embodiments, the SaaS datacenters include datacenters for video conferencing SaaS providers, for middlebox (e.g., firewall) service providers, for storage service providers, etc.

Additional examples of resources accessible via the hub 145, in some embodiments, include compute machines (e.g., virtual machines and/or containers providing server operations), storage machines (e.g., database servers), and middlebox service operations (e.g., firewall services, load balancing services, encryption services, etc.). In some embodiments, the connections 160 between the branch sites and the hub 145 are secure encrypted connections that encrypt packets exchanged between the edge nodes 130-134 of the branch sites and the hub 145. Examples of secure encrypted connections used in some embodiments include VPN (virtual private network) connections, or secure IPsec (Internet Protocol security) connection.

In some embodiments, multiple secure connection links (e.g., multiple secure tunnels) can be established between an edge node and the hub 145. When multiple such links are defined between a node and a hub, each secure connection link, in some embodiments, is associated with a different physical network link between the node and an external network. For instance, to access external networks in some embodiments, a node has one or more commercial broadband Internet links (e.g., a cable mode and a fiber optic link) to access the Internet, a wireless cellular link (e.g., a 5G LTE network), etc. The collection of the edge nodes, gateway, datacenter hub, controller, and secure connections between the edge nodes, gateway, datacenter hub, and controller form the SD-WAN 100.

As mentioned above, the controller 110 communicates with each of the nodes 130-134 at the branch sites 120-124, in some embodiments, to send information such as trace monitoring rules and receive information such as trace monitoring results via the connection links 170A-170C. In some embodiments, the controller 110 also provides trace monitoring rules to, and receives trace monitoring results from, the gateway 140 via the connection link 170D and the hub 145 via the connection link 170E. While illustrated as individual connection links, the links 170A-170E are sets of multiple connection links, according to some embodiments.

In addition to the connection links 170A-170E and 160, edge nodes 132 and 134 are connected via connection link 164, while edge nodes 130 and 132 are connected to the gateway 140 via connection links 162. The gateway 140 in this example is responsible for relaying information between edge nodes (e.g., edge nodes 120 and 122, which do not share a direct connection). Also, the gateway 140 in some embodiments is used to set up direct edge-to-edge connections. In some embodiments, the gateway 140 can be used to provide the edge nodes with access to cloud resources (e.g., compute, storage, and service resources of a cloud datacenter).

In order to process packet flows to and from other elements in the virtual network (e.g., other nodes), the nodes 130-134 each include a set of packet processing stages. FIG. 2 conceptually illustrates a detailed view of an edge node and a controller in an SD-WAN. As shown, the edge node 220 includes a trace monitor 222, a control plane 224, a dynamic multipath selection module 226, and a set of packet processing stages 230-240, while the controller 210 includes a backend node server 212, a database 214, a graphical user interface 216, and a renderer 218.

The packet processing stages 230-240 include an ingress stage 230, a forwarding stage 232, a routing stage 234, a quality of service (QoS) stage 236, a network address translation (NAT) stage 238, and an egress stage 240. The ingress stage 230, in some embodiments, is configured to analyze and realize packets received at the edge node 220, as well as to match received packets to trace monitoring rules to determine whether the packet should be trace monitored. Additionally, when the ingress stage 230 determines that a packet should be trace monitored, in some embodiments, it sets a flag on the packet to indicate to the remainder of the packet processing stages 232-240 that the packet should be trace monitored.

The trace monitor 222, in some embodiments, is a data plane trace monitor that is configured to monitor the packet processing stages 230-240. In some embodiments, when an anomaly is detected during any of the packet processing stages 230-240, the trace monitor 222 sends a flow notification to the controller 210 via the control plane 224 to inform the controller of the detected anomaly. The trace monitor 222 also communicates with the controller 210 through the control plane 224 to receive trace monitoring rules and provide trace monitoring results. That is, when the trace monitor 222 receives trace monitoring data from the packet processing stages 230-240, it publishes consolidated, per-flow level trace monitoring results to the control plane 224 for collection by the backend node server 212 of the controller 210.

In some embodiments, once the backend node server 212 collects the trace monitoring results from the control plane 224, it persists the results to the database 214. Then, the GUI 216 polls the database for the trace monitoring results and calls the renderer 218 to dynamically render a flow diagram illustrating the packet processing stages of the edge node and the trace monitoring results. Alternatively, or conjunctively, the controller in some embodiments analyzes the trace monitoring results, identifies any anomalies, determines one or more remedial actions to correct the identified anomalies, and either applies the remedial action(s) itself, or pushes the remedial action(s) to one or more nodes (e.g., edge nodes, gateways, hubs, etc.) for the trace monitors of the nodes to apply.

FIG. 3 illustrates a trace monitoring process 300 performed by a node (e.g., edge node 220, gateway 140, or hub 145) in some embodiments. The process 300 starts at 305 by receiving, from a controller, trace monitoring rules specified for a particular packet flow. For example, as described above, the controller 210 provides trace monitoring rules to the trace monitor 222 of the edge node 220 via the control plane 224.

In some embodiments, the controller provides the trace monitoring rules to the edge node in response to receiving a flow notification from the edge node indicating an anomaly has been detected on the node. The node sends this flow notification, in some embodiments, based on an exception vector maintained across each of the packet processing stages of the node. The exception vector is associated with threshold limits, as mentioned above, in some embodiments. When a packet flow encounters an exception hitting threshold limit, the node (i.e., the trace monitor of the node) sends the flow notification (e.g., five tuple for the packet flow) to the controller for analysis, according to some embodiments. The controller in some embodiments, then dynamically constructs the trace monitoring rules and pushes the rules to any relevant nodes (e.g., any nodes that may process packets for this packet flow, including the node that sent the flow notification).

Next, the process receives (at 310) a packet. In some embodiments, as described above, packets received at the node are received by the ingress packet processing stage (e.g., packet processing stage 230). The process then determines (at 315) whether the received packet belongs to the particular packet flow for which the trace monitoring rules are specified. In some embodiments, for example, the trace monitoring rules will include any of the source and/or destination network address of the flow, the source and/or destination port of the flow, and an AppID of the flow (e.g., traffic type).

When the process determines (at 315) that the received packet does not belong to the particular packet flow, the process transitions to 325 to process the packet normally (i.e., without performing trace monitoring). Otherwise, when the process determines at 315 that the received packet does belong to the particular packet flow, the process transitions to 320 to determine whether the received packet matches trace monitoring criteria and should be marked for trace monitoring. For example, the trace monitoring rules will specify a number of packets in the particular packet flow that should be trace monitored.

When the process determines at 320 that the packet does not match trace monitoring criteria, the process transitions to 325 to process the packet normally, and then transitions to 340. Otherwise, when the process determines at 320 that the packet does match trace monitoring criteria, the process transitions to 330 to mark the packet for trace monitoring. For example, in some embodiments, the ingress packet processing stage sets a flag on the packet to indicate to the other packet processing stages that the packet should be trace monitored.

After the packet has been marked for trace monitoring at 330, the process performs (at 335) the trace monitoring on the packet as it is processed by each packet processing stage of the node. In some embodiments, for example, the trace monitoring can include recording the amount of time it takes to process the packet at each packet processing stage. After the packet has been processed by all of the stages, the process then determines (at 340) whether trace monitoring for the particular packet flow has been completed. In other words, the process determines whether the number of packets specified for the trace monitoring have all been processed.

When the process determines at 340 that trace monitoring for the particular packet flow has not been completed, the process transitions back to 310 to receive a packet. Otherwise, when the process determines at 340 that trace monitoring for the particular packet flow has been completed, the process transitions to 345 to provide the trace monitoring results to the trace monitor. As described above, each packet processing stage 230-240 on a node 220 collects trace monitoring data for packets that are marked for trace monitoring and provides the data to the trace monitor 222. After 345, the process publishes (at 350) consolidated, per-flow level trace results to the control plane of the node. The process then ends.

In some embodiments, as will be described further below, after the controller has retrieved the trace monitoring results from the control plane of the node, it provides one or more remedial actions to the node (i.e., via the control plane and trace monitor) to be applied by the node in order to correct any identified anomalies and/or prevent future anomalies.

FIG. 4 illustrates a process performed by a controller to perform trace monitoring on a packet flow. The process 400 is performed in conjunction with the process 300 described above, in some embodiments. The process 400 starts (at 410) by receiving a flow notification at the controller from a particular node (e.g., edge node 220, gateway 140, or hub 145) indicating that an anomaly has been detected on the particular node. For example, a node in some embodiments may detect that one or more stages in the packet processing stages of the node have dropped greater than a specified threshold of packets, thus triggering a flow notification to the controller to report the anomaly.

Next, at 420, the controller dynamically generates trace monitoring rules based on the detected anomaly. Continuing with the dropped packet example above, in some embodiments, the controller may generate trace monitoring rules to trace N number of packets belonging to any flows that are processed by the particular node that is experiencing a too-large number of dropped packets. At 430, the controller provides the trace monitoring rules to a set of nodes that includes at least the particular node. As described above, the controller 210 provides the trace monitoring rules to the control plane 224 of the edge node 220, which then provides the trace monitoring rules to the trace monitor 222 to apply to the packet processing stages 230-240.

The controller then retrieves (at 440) trace monitoring results from the control plane of each node in the set of nodes. For example, in some embodiments, the backend node server 212 collects trace monitoring results from the control plane 222. Next, the controller analyzes (at 450) the trace monitoring results to identify any anomalies. Examples of anomalies in some embodiments include exceeding a threshold specified for dropped packets, exceeding a threshold time period for processing a packet, missing a route between nodes, etc.

At 460, the controller determines whether any anomalies have been identified. When the controller determines that no anomalies are identified, the process ends. Otherwise, when the controller determines at 460 that at least one anomaly has been identified, the process transitions to 470 to determine and apply a remedial action for correcting the anomaly. In one example where the controller determines that an anomaly occurred on a particular node because a route is missing, a possible remedial action that the controller can perform is refreshing the routes for the particular node to recover the missing route. In some embodiments, rather than applying a remedial action itself, the controller pushes the remedial action to one or more nodes to apply. After determining and applying the remedial action at 470, the process 400 ends.

In some embodiments, the controller performs proactive anomaly detection to predict and prevent future traffic impairments and/or performance degradation. For example, consider application traffic (e.g., a packet flow) originating from an SD-WAN edge node that traverses through a transit node before reaching a destination SD-WAN edge side network (e.g., branch-to-branch via a hub). In typical embodiments, there are multiple transit nodes in the SD-WAN for providing alternate paths to reach destinations. This topology can lead to asymmetric paths traversed the application traffic, in some embodiments, which can be detrimental to the performance of real-time and/or high-priority categories of application traffic (e.g., VoIP traffic). Accordingly, the controller, in some embodiments, can automatically detect this asymmetrical anomaly by analyzing collected trace monitoring results to identify the asymmetric path experienced by the application traffic, thus allowing for the controller to apply actions to prevent asymmetric paths for future flows of application traffic.

As mentioned above, the controller in some embodiments can set up trace monitoring rules in a hierarchical order so that dynamic anomaly detection can be grouped as per customer needs. The hierarchical order implies flow level and application level traceability, which can be further applied at a profile level (e.g., for all nodes matching a particular profile) and at the enterprise level (i.e., for all nodes in the enterprise). Based on the hierarchical level needed, the controller in some embodiments dynamically generates trace monitoring rules and pushes the rules to relevant sets of nodes in the enterprise.

Flow-level trace monitoring rules, in some embodiments, can specify full five-tuple match criteria and can be used to target a specific flow across one or more nodes. Going one step further, application-level trace monitoring rules can specify application criteria alone (e.g., application ID), and can be used to target specific application traffic across one or more nodes, according to some embodiments. At the profile-level, the controller in some embodiments sends out relevant trace monitoring rules to all nodes belonging to a particular profile or multiple profiles, while at the enterprise level, the controller in some embodiments sends out the relevant trace monitoring rules to all nodes belonging to the enterprise.

FIG. 5 illustrates a process 500 performed by the controller in some embodiments to detect anomalies using the hierarchical order described above. The process 500 starts (at 505) with the controller dynamically generating flow-level trace monitoring rules and providing the rules to a particular node in the enterprise (e.g., edge node 220, gateway 140, or hub 145). The controller then receives and analyzes (at 510) trace monitoring results, and determines (at 515) whether any anomalies are identified in the received results.

When the controller determines (at 515) that no anomalies have been identified, the process ends. Otherwise, when the controller determines at 515 that one or more anomalies have been identified, the process transitions to 520 to determine whether additional trace monitoring is needed (e.g., if the identified anomaly has the potential to occur for other flows and/or at other nodes). When the controller determines (at 520) that no additional trace monitoring is needed, the process ends.

Otherwise, when the controller determines at 520 that additional trace monitoring is needed, the process transitions to 525 to determine whether application-level trace monitoring has been performed (i.e., with regard to this detected anomaly). When the controller determines (at 525) that application-level trace monitoring has not yet been performed, the process transitions to 530 to dynamically generate application-level trace monitoring rules and provide the rules to the particular node. In some embodiments, rather than generating new rules, the controller refines the flow-level trace monitoring rules so that they apply to all flows having the same application ID as the flow for which the anomaly was first detected (e.g., by removing source and destination address/port information from the rules). After 530, the process transitions back to 510 to receive and analyze trace monitoring results.

When the controller determines at 525 that application-level trace monitoring has been performed, the process transitions to 535 to determine whether profile-level trace monitoring has been performed. When the controller determines at 535 that profile-level trace monitoring has not yet been performed, the process transitions to 540 to provide the application-level trace monitoring rules to all nodes belonging to the same profile as the particular node. For example, when the particular node is a gateway, the controller in some embodiments provides the rules to all gateways in the enterprise. After 540, the process transitions back to 510 to receive and analyze trace monitoring results.

Otherwise, when the controller determines at 535 that profile-level trace monitoring has been performed, the process transitions to 545 to provide the application-level trace monitoring rules to all nodes in the enterprise. The controller then receives and analyzes (at 550) trace monitoring results received from all of the nodes to identify anomalies and remedial actions for correcting the anomalies in the enterprise. The process then ends.

FIGS. 6A-6B, 7A-7B, and 7A-7C illustrate a set of example UIs provided by a controller, in some embodiments, for allowing a user (e.g., an administrator) to manually enter a trace request and review trace monitoring results. It should be noted that while these examples are described with a limited number of edge nodes, other embodiments of the invention can be implemented for a multitude of edge nodes (i.e., thousands) in an SD-WAN. Additionally, these examples are merely illustrative and real-life implementations of the UIs described herein may include additional, fewer, or different features than those shown and described.

FIG. 6A illustrates a first example UI 600. As shown, the UI 600 is split into two sections with the trace request 610 featured in the top half of the display and the node visualization 620 featured in the bottom half of the display. The trace request portion 610 includes a set of fillable boxes 612 that include trace name, source IP (Internet Protocol), destination IP, source port, destination port, application ID (AppID), and number of packets (i.e., a number of packets to be traced). In this example, the trace request has a trace name of “TraceB2BPathTest1” and specifies a destination IP of “10.0.1.25”, while the source IP, source port, destination port, and AppID are specified as “any”. Additionally, the trace request 610 specifies that 10 packets of this particular packet flow (i.e., packets with a destination IP of 10.0.1.25) should be traced.

In addition to the fillable boxes 612, the trace request portion 610 includes a set of check boxes 614 that allow a user to select specific edge nodes and gateways to perform the trace monitoring operation. The check boxes 614 also include an option to select to perform the trace monitoring operation at the enterprise level, meaning the trace monitoring rules would be provided to all nodes and gateways in the enterprise. In this example, a user has selected four edge nodes to perform the trace monitoring operation. When a user has finished filling out the trace request, selecting the “trace” button initiates the trace monitoring operation, and the results appear in the visualization portion 620.

The visualization portion 620 includes visual representations of the nodes selected to perform the trace monitoring operation (e.g., b1-edge1, b3-edge1, b4-edge1, and b5-edge1). As shown, the edge nodes b3-edge1 and b4-edge1 each include one pipeline, while the edge node b1-edge1 includes two pipelines and the edge node b5-edge1 includes 3 pipelines. Additionally, the visualization portion 620 includes routes traversed by the trace monitored packets between the edge nodes.

As shown, the edge nodes b3-edge1, b4-edge1, and b5-edge1 appear without any distinguishing features, while the edge node b1-edge1 appears with a bolded outline and the firewall stage 630 of its pipeline 1 is also bolded and darkened. The bold edge node and packet processing stage indicate that an anomaly was detected for that particular packet processing stage on that edge node, according to some embodiments. Similarly, the route 635 appears bolded and with a dashed line to indicate an anomaly was detected for that particular route, whereas the other routes are not distinguished in any way. Other embodiments may instead show the unproblematic edge nodes, packet processing stages, and routes in a first color (e.g., green), while showing the edge nodes, packet processing stages, and routes that have experienced an anomaly in a second color (e.g., red).

Each of the packet processing stages displayed in the UI are selectable according to some embodiments. For example, FIG. 6B illustrates the UI 600 after a user has selected (e.g., via the cursor) the firewall stage 630 of the edge node b1-edge1. The UI 600 now includes a pop-up display window 640 that includes information regarding the firewall stage 630. The window 640 includes packet flow information 642 regarding the packet flow processed by the firewall stage 630 during which the anomaly occurred. The packet flow information 642 includes the source IP “10.0.1.25” and destination IP “10.0.4.25” of the flow, the source port “58125” and destination port “0” of the flow, and the application ID “70” of the flow.

The window 640 also includes the time elapsed 644 indicating that it took 1898 ns to process the packet for which the anomaly was detected, the pipeline stage status 646 indicating the status of the firewall stage as “fail”, and an error description 648 indicating that the failure was due to an outbound policy. As described above, the controller in some embodiments provides suggested remedial actions for correcting anomalies. As the error description 648 indicates that the failure (i.e., anomaly) was due to an outbound policy, no suggested remedial actions are provided.

FIG. 7A illustrates a second example UI 700 of some embodiments that includes a second example trace request 710 and trace results 720. The trace request 710 includes a set of fillable boxes 712 that include the trace name “TraceB2BPathRem”, the source IP “10.0.5.25”, the destination IP “10.0.3.25”, and the number of packets “10” to be traced, while the source and destination ports and application ID are specified as “any”. Also, from the check boxes 714, a user has selected the edge nodes b3-edge1 and b5-edge1 to perform the trace monitoring operation. As described for the example UI 600, when a user has finished filling out the trace request 710, selecting the “trace” button 716 initiates the trace monitoring operation, and the results appear in the visualization portion 720.

The visualization portion 720 includes visualizations of the two selected edge nodes b3-edge1 and b5-edge1, each having a single pipeline. As shown, the edge node b3-edge1 appears with a bold outline and its routing stage 730 appears darkened and with a bold outline indicating that an anomaly has been detected on the edge node b3-edge1, specifically at the routing stage 730. In order to determine the cause of the anomaly, a user may select the routing stage 730 for more information.

FIG. 7B illustrates the UI 700 after a user has selected the routing stage 730 (e.g., with a cursor). The UI 700 now includes the pop-up display window 740 for the routing stage 730 of edge node b3-edge1. The window 740 includes packet flow information 742 that includes the source IP “10.0.3.25”, destination IP “10.0.5.25”, source port “21821”, destination port “0”, and application ID “70”. The window 740 also includes the time elapsed 744 indicating 0 ns elapsed during the processing of the packet at the routing stage 730, the pipeline stage status 746 indicating the status of the routing stage as “fail”, and the error description 748 specifying “edged_no-src-no-dest”, which may indicate a route is missing.

Unlike the window 640 in the example UI 600, the window 740 also includes a suggested action 750 indicating that it is possible that a route is missing and that it can be recovered by refreshing routes from the controller for the edge node b3-edge1, as well as a selectable button 752 to apply the suggested action. In some embodiments, such as when the controller generates trace monitoring rules based on a flow notification from a node, as described above, rather than based on a trace request from a user, the suggested action is automatically applied to correct the anomaly rather than relying on a command from a user.

FIG. 8A illustrates a third example UI 800 of some embodiments. The UI 800 includes the top trace request portion 810 and the bottom visualization portion 820. In this example, neither a trace name nor a number of packets are specified in the set of fillable boxes 812. Instead, only the destination IP “10.0.1.25” is specified, while the source IP, source and destination ports, and application ID are specified as “any”. Similarly, none of the check boxes 814 are selected.

Unlike the UIs 600 and 700 described above, the UI 800 also includes a dropdown menu 860 between the top portion 810 and bottom portion 820 that allows a user to select an archived trace (e.g., a trace monitoring operation initiated by the user at a prior time). In this case, the trace “TraceB2BPath” is currently selected from dropdown menu 860, as shown. As a result, the visualization portion 820 displays a set of nodes including b1-edge1, b3-edge1, b4-edge1, and b5-edge1. Each of the edge nodes, their packet processing stages, and the routes between them appear normal in the visualization portion 820 indicating that no anomalies were detected as far as a packet flow is concerned. To determine whether there are any issues within the pipelines themselves, a user may select the load performance button 862.

FIG. 8B illustrates the UI 800 after the load performance button 862 has been selected (i.e., as indicated by the cursor). Each of the edge nodes b1-edge1, b3-edge1, b4-edge1, and b5-edge1 now appear bold. For the edge node b1-edge1, the ingress and egress stages of the node's first pipeline are darkened and bolded, as are the QoS and egress stages of the node's second pipeline. Similarly, each of the egress stages on the nodes b3-edge1 and b5-edge1 are darkened and bolded, while the routing, NAT, and egress stages of the edge node b4-edge1 are darkened and bolded. Thus, between these 4 edge nodes, anomalies have been detected for 11 different packet processing stages. Like with the examples provided above, the packet processing stages in the UI 800 are selectable by a user.

FIG. 8C illustrates the UI 800 after a user selects the egress stage 830 in the first pipeline of the edge node b1-edge1. The UI now includes the pop-up display window 840 for the egress stage 830. The window 840 includes the packet flow information 842 specifying the source IP “10.0.1.25”, the destination IP “10.1.3.25”, the source port “40202”, the destination port “0”, and the application ID “70”. Additionally, the window 840 includes the time elapsed 844 indicating 67377 ns elapsed while processing a packet, the pipeline stage status 846 indicating the egress stage's status as “fail”, and the error description 848 indicating the error as “post send”. While embodiments of the invention may not specify whether a threshold for a particular metric has been exceeded, for the sake of clarity, the window 840 also indicates that the time elapsed 844 exceeds a threshold. Thus, there is an anomaly from a latency perspective for the egress stage 830.

Many of the above-described features and applications are implemented as software processes that are specified as a set of instructions recorded on a computer readable storage medium (also referred to as computer readable medium). When these instructions are executed by one or more processing unit(s) (e.g., one or more processors, cores of processors, or other processing units), they cause the processing unit(s) to perform the actions indicated in the instructions. Examples of computer readable media include, but are not limited to, CD-ROMs, flash drives, RAM chips, hard drives, EPROMs, etc. The computer readable media does not include carrier waves and electronic signals passing wirelessly or over wired connections.

In this specification, the term “software” is meant to include firmware residing in read-only memory or applications stored in magnetic storage, which can be read into memory for processing by a processor. Also, in some embodiments, multiple software inventions can be implemented as sub-parts of a larger program while remaining distinct software inventions. In some embodiments, multiple software inventions can also be implemented as separate programs. Finally, any combination of separate programs that together implement a software invention described here is within the scope of the invention. In some embodiments, the software programs, when installed to operate on one or more electronic systems, define one or more specific machine implementations that execute and perform the operations of the software programs.

FIG. 9 conceptually illustrates a computer system 900 with which some embodiments of the invention are implemented. The computer system 900 can be used to implement any of the above-described hosts, controllers, gateway and edge forwarding elements. As such, it can be used to execute any of the above described processes. This computer system includes various types of non-transitory machine readable media and interfaces for various other types of machine readable media. Computer system 900 includes a bus 905, processing unit(s) 910, a system memory 925, a read-only memory 930, a permanent storage device 935, input devices 940, and output devices 945.

The bus 905 collectively represents all system, peripheral, and chipset buses that communicatively connect the numerous internal devices of the computer system 900. For instance, the bus 905 communicatively connects the processing unit(s) 910 with the read-only memory 930, the system memory 925, and the permanent storage device 935.

From these various memory units, the processing unit(s) 910 retrieve instructions to execute and data to process in order to execute the processes of the invention. The processing unit(s) may be a single processor or a multi-core processor in different embodiments. The read-only-memory (ROM) 930 stores static data and instructions that are needed by the processing unit(s) 910 and other modules of the computer system. The permanent storage device 935, on the other hand, is a read-and-write memory device. This device is a non-volatile memory unit that stores instructions and data even when the computer system 900 is off. Some embodiments of the invention use a mass-storage device (such as a magnetic or optical disk and its corresponding disk drive) as the permanent storage device 935.

Other embodiments use a removable storage device (such as a floppy disk, flash drive, etc.) as the permanent storage device. Like the permanent storage device 935, the system memory 925 is a read-and-write memory device. However, unlike storage device 935, the system memory is a volatile read-and-write memory, such as random access memory. The system memory stores some of the instructions and data that the processor needs at runtime. In some embodiments, the invention's processes are stored in the system memory 925, the permanent storage device 935, and/or the read-only memory 930. From these various memory units, the processing unit(s) 910 retrieve instructions to execute and data to process in order to execute the processes of some embodiments.

The bus 905 also connects to the input and output devices 940 and 945. The input devices enable the user to communicate information and select commands to the computer system. The input devices 940 include alphanumeric keyboards and pointing devices (also called “cursor control devices”). The output devices 945 display images generated by the computer system. The output devices include printers and display devices, such as cathode ray tubes (CRT) or liquid crystal displays (LCD). Some embodiments include devices such as touchscreens that function as both input and output devices.

Finally, as shown in FIG. 9 , bus 905 also couples computer system 900 to a network 965 through a network adapter (not shown). In this manner, the computer can be a part of a network of computers (such as a local area network (“LAN”), a wide area network (“WAN”), or an Intranet), or a network of networks (such as the Internet). Any or all components of computer system 900 may be used in conjunction with the invention.

Some embodiments include electronic components, such as microprocessors, storage and memory that store computer program instructions in a machine-readable or computer-readable medium (alternatively referred to as computer-readable storage media, machine-readable media, or machine-readable storage media). Some examples of such computer-readable media include RAM, ROM, read-only compact discs (CD-ROM), recordable compact discs (CD-R), rewritable compact discs (CD-RW), read-only digital versatile discs (e.g., DVD-ROM, dual-layer DVD-ROM), a variety of recordable/rewritable DVDs (e.g., DVD-RAM, DVD-RW, DVD+RW, etc.), flash memory (e.g., SD cards, mini-SD cards, micro-SD cards, etc.), magnetic and/or solid state hard drives, read-only and recordable Blu-Ray® discs, ultra-density optical discs, any other optical or magnetic media, and floppy disks. The computer-readable media may store a computer program that is executable by at least one processing unit and includes sets of instructions for performing various operations. Examples of computer programs or computer code include machine code, such as is produced by a compiler, and files including higher-level code that are executed by a computer, an electronic component, or a microprocessor using an interpreter.

While the above discussion primarily refers to microprocessor or multi-core processors that execute software, some embodiments are performed by one or more integrated circuits, such as application specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs). In some embodiments, such integrated circuits execute instructions that are stored on the circuit itself

As used in this specification, the terms “computer”, “server”, “processor”, and “memory” all refer to electronic or other technological devices. These terms exclude people or groups of people. For the purposes of the specification, the terms “display” or “displaying” mean displaying on an electronic device. As used in this specification, the terms “computer readable medium,” “computer readable media,” and “machine readable medium” are entirely restricted to tangible, physical objects that store information in a form that is readable by a computer. These terms exclude any wireless signals, wired download signals, and any other ephemeral or transitory signals.

While the invention has been described with reference to numerous specific details, one of ordinary skill in the art will recognize that the invention can be embodied in other specific forms without departing from the spirit of the invention. For instance, several of the above-described embodiments deploy gateways in public cloud datacenters. However, in other embodiments, the gateways are deployed in a third party's virtual private cloud datacenters (e.g., datacenters that the third party uses to deploy cloud gateways for different entities in order to deploy virtual networks for these entities). Thus, one of ordinary skill in the art would understand that the invention is not to be limited by the foregoing illustrative details, but rather is to be defined by the appended claims. 

The invention claimed is:
 1. A method for detecting and remediating anomalies in a software-defined wide area network (SD-WAN) connecting a plurality of branch sites, the SD-WAN comprising a controller, at least one enterprise datacenter, and at least one node at each branch site, each node at each branch site comprising a set of packet processing stages for processing packet flows that traverse the SD-WAN, the method comprising: at the controller: receiving, from a particular node of a particular branch site in the SD-WAN, a flow notification indicating an anomaly in processing of packets that is detected by the particular node; dynamically generating a set of trace monitoring rules based on the detected anomaly and providing the set of trace monitoring rules to the particular node and at least one other node of another branch site in the SD-WAN, wherein the set of trace monitoring rules specify one or more packet flows to be traced by the packet processing stages of the particular node and the at least one other node; receiving, from the particular node of the particular branch site and the at least one other node of the other branch site, a set of trace monitoring results collected in response to the provided set of trace monitoring rules; and identifying (i) one or more anomalies and (ii) one or more dynamic actions to correct the identified anomalies by analyzing the trace monitoring results.
 2. The method of claim 1 further comprising pushing the one or more dynamic actions to the particular node and the at least one other node, wherein each node performs the one or more dynamic actions to correct the identified anomalies.
 3. The method of claim 1, wherein the set of trace monitoring rules is a first set of trace monitoring rules, and the set of trace monitoring results is a first set of trace monitoring results, the method further comprising: receiving, through a user interface (UI), a request to trace a particular packet flow; based on the request, dynamically generating a second set of trace monitoring rules for tracing the particular packet flow specified in the request; providing the second set of trace monitoring rules to a particular set of nodes in the SD-WAN; receiving, from the particular set of nodes, a second set of trace monitoring results collected by the particular set of nodes in response to the provided second set of trace monitoring rules; and identifying one or more anomalies detected by the particular set of nodes by analyzing the second set of trace monitoring results.
 4. The method of claim 3, wherein the particular set of nodes comprises nodes specified in the request for tracing the particular packet flow.
 5. The method of claim 4, further comprising providing, through the UI, a visualization of the particular set of nodes, the packet processing stages of each node in the set of nodes, and one or more paths between the particular set of nodes traversed by packets in the particular packet flow.
 6. The method of claim 5, wherein packet processing stages, nodes, and paths on which no anomalies are detected are identified by a first color in the visualization, wherein packet processing stages, nodes, and paths on which at least one anomaly is detected are identified by a second color in the visualization.
 7. The method of claim 6, wherein each packet processing stage in the visualization is selectable, wherein selecting a packet processing stage causes the UI to provide a pop-up window comprising information relating to the selected packet processing stage.
 8. The method of claim 7, wherein the information comprises at least (i) source and destination network addresses, (ii) source and destination ports, (iii) AppID, (iv) time elapsed, and (v) stage status.
 9. The method of claim 8, wherein for packet processing stages that have experienced an anomaly, the information further comprises a description of the anomaly.
 10. The method of claim 9, wherein the information further comprises a suggested remedial action for correcting the anomaly, the method further comprising: receiving, through the UI, a selection to apply the suggested remedial action; and directing the particular set of nodes to apply the remedial action.
 11. The method of claim 3, wherein the request specifies at least a number of packets to be traced.
 12. The method of claim 11, wherein the request further comprises any of (i) a source network address, (ii) a destination network address, (iii) a source port, (iv) a destination port, (v) an AppID.
 13. The method of claim 10, wherein the particular set of nodes is a first set of nodes, the method further comprising instructing a second set of nodes in the plurality of nodes to implement the at least one remedial action to prevent anomalies on the second set of nodes.
 14. The method of claim 1, wherein receiving the set of trace monitoring results from the particular node and the at least one other node further comprises receiving the set of trace results from a first trace monitor agent executing on the particular node and a second trace monitor agent executing on the at least one other node.
 15. The method of claim 14, wherein the first and second trace monitor agents receive trace results collected by the packet processing stages of the particular node and the at least one other node, respectively.
 16. The method of claim 1 further comprising providing a second set of trace monitoring rules to a set of nodes including the particular node, wherein the second set of trace monitoring rules are specified for one of (i) packet flows for a particular application, (ii) packet flows between a specified set of nodes in the plurality of nodes, and (iii) all packet flows between the plurality of nodes in the SD-WAN.
 17. The method of claim 1, wherein the set of trace monitoring rules further comprise a set of exception rules, wherein each exception rule defines a threshold value for identifying anomalous behavior on the particular node and the at least one other node.
 18. A non-transitory machine readable medium storing a program for execution by a set of processing units, the program for detecting and remediating anomalies in a software-defined wide area network (SD-WAN) connecting a plurality of branch sites, the SD-WAN comprising a controller, at least one enterprise datacenter, and at least one node at each branch site, each node at each branch site comprising a set of packet processing stages for processing packet flows that traverse the SD-WAN, the program comprising sets of instructions for: at the controller: receiving, from a particular node of a particular branch site in the SD-WAN, a flow notification indicating an anomaly in processing of packets that is detected by the particular node; dynamically generating a set of trace monitoring rules based on the detected anomaly and providing the set of trace monitoring rules to the particular node and at least one other node of another branch site in the SD-WAN, wherein the set of trace monitoring rules specify one or more packet flows to be traced by the packet processing stages of the particular node and the at least one other node; receiving, from the particular node of the particular branch site and the at least one other node of the other branch site, a set of trace monitoring results collected in response to the provided set of trace monitoring rules; and identifying (i) one or more anomalies and (ii) one or more dynamic actions to correct the identified anomalies by analyzing the trace monitoring results.
 19. The non-transitory machine readable medium of claim 18 further comprising a set of instructions for pushing the one or more dynamic actions to the particular node and the at least one other node, wherein each node performs the one or more dynamic actions to correct the identified anomalies.
 20. The non-transitory machine readable medium of claim 18, wherein the set of trace monitoring rules is a first set of trace monitoring rules, and the set of trace monitoring results is a first set of trace monitoring results, the program further comprising sets of instructions for: receiving, through a user interface (UI), a request to trace a particular packet flow; based on the request, dynamically generating a second set of trace monitoring rules for tracing the particular packet flow specified in the request; providing the second set of trace monitoring rules to a particular set of nodes in the SD-WAN; receiving, from the particular set of nodes, a second set of trace monitoring results collected by the particular set of nodes in response to the provided second set of trace monitoring rules; and identifying one or more anomalies detected by the particular set of nodes by analyzing the second set of trace monitoring results. 